authorMatt Johnston <matt@ucc.asn.au>2020-12-06 21:27:25 +0800
committerMatt Johnston <matt@ucc.asn.au>2020-12-06 21:27:25 +0800
commit030603579f6c0207ada8944a91ad301d924af914 (patch)
treeb390b0ff3529f834027f3e4748145d9efaa983d5
parent158cbbcb117140c4de0e49cda91f52a3b8c018a6 (diff)
downloaddropbear-030603579f6c0207ada8944a91ad301d924af914.tar.gz
fuzz: work around fuzz_connect_remote() limitations
-rw-r--r--cli-tcpfwd.c4
-rw-r--r--fuzz/fuzz-common.c6
-rw-r--r--svr-tcpfwd.c4
3 files changed, 10 insertions, 4 deletions
diff --git a/cli-tcpfwd.c b/cli-tcpfwd.c
index e6387d9..4ab7748 100644
--- a/cli-tcpfwd.c
+++ b/cli-tcpfwd.c
@@ -273,11 +273,11 @@ static int newtcpforwarded(struct Channel * channel) {
origaddr, origport);
goto out;
}
+
+ channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
snprintf(portstring, sizeof(portstring), "%u", fwd->connectport);
channel->conn_pending = connect_remote(fwd->connectaddr, portstring, channel_connect_done, channel, NULL, NULL);
-
- channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
err = SSH_OPEN_IN_PROGRESS;
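Review bot: The moved line `channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;` carries no explanation of why it now has to precede connect_remote(), so a later tidy-up could move it back below the call and silently reintroduce the problem this commit works around. I would put a why-comment directly above it: `/* Must be set before connect_remote(): the fuzzing stand-in may run channel_connect_done() synchronously, and that callback can close and free the channel. */` Note also that `channel->conn_pending = connect_remote(...)` on the following line still stores into the channel after the call returns, so in a build where the callback runs immediately and frees the channel that store looks like the same class of use-after-free; whether it is actually reachable depends on what the stub returns and on what channel_connect_done() does, neither of which is visible in this hunk. newtcpforwarded() starts before and ends after this hunk.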
diff --git a/fuzz/fuzz-common.c b/fuzz/fuzz-common.c
index b43ba9b..f251e81 100644
--- a/fuzz/fuzz-common.c
+++ b/fuzz/fuzz-common.c
@@ -238,6 +238,12 @@ int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t
struct dropbear_progress_connection *fuzz_connect_remote(const char* UNUSED(remotehost), const char* UNUSED(remoteport),
connect_callback cb, void* cb_data,
const char* UNUSED(bind_address), const char* UNUSED(bind_port)) {
+ /* This replacement for connect_remote() has slightly different semantics
+ to the real thing. It should probably be replaced with something more sophisticated.
+ It calls the callback cb() immediately rather than
+ in a future session loop iteration with set_connect_fds()/handle_connect_fds().
+ This could cause problems depending on how connect_remote() is used. In particular
+ the callback can close a channel - that can cause use-after-free. */
char r;
genrandom((void*)&r, 1);
if (r & 1) {
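Review bot: The new comment says the immediate callback "could cause problems depending on how connect_remote() is used" without naming the concrete pattern that remains unsafe; the callers touched in this same commit all do `channel->conn_pending = connect_remote(...)`, which writes to the channel after the stub has (per this comment) already invoked cb(), and therefore after the callback may have freed it. I would state that explicitly so the next reader knows the prio reordering in the callers only narrows the window: `Callers that store the return value into cb_data (channel->conn_pending = connect_remote(...)) still touch it after cb() may have freed it.` Because the cb() path is chosen by genrandom() on the lines below, whether a given run hits this is nondeterministic, which argues for the deterministic fix the comment already hints at (deferring cb() to the session loop) rather than further caller-side reordering. The body of fuzz_connect_remote() continues past the end of this hunk.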
diff --git a/svr-tcpfwd.c b/svr-tcpfwd.c
index 9a2310d..879de7e 100644
--- a/svr-tcpfwd.c
+++ b/svr-tcpfwd.c
@@ -284,10 +284,10 @@ static int newtcpdirect(struct Channel * channel) {
goto out;
}
+ channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
+
snprintf(portstring, sizeof(portstring), "%u", destport);
channel->conn_pending = connect_remote(desthost, portstring, channel_connect_done, channel, NULL, NULL);
-
- channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
err = SSH_OPEN_IN_PROGRESS;
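Review bot: The reorder in newtcpdirect() relies on statement order for safety, yet nothing in the code records that; the same pattern now appears in cli-tcpfwd.c, and both sites would benefit from an identical one-line comment above `channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;`, e.g. `/* Set before connect_remote(): under fuzzing the callback may run synchronously and free the channel. */` As on the client side, the `channel->conn_pending = connect_remote(...)` store on the next line still dereferences channel after the call, so the fuzz-build hazard described in the fuzz-common.c comment appears reduced rather than removed by this change; confirming that requires knowing whether the stub's callback path can free the channel, which this hunk does not show. newtcpdirect() starts before and ends after this hunk.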